lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 14 Dec 2011 01:29:44 +0100
From: Tavis Ormandy <taviso@...xchg8b.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect

Marsh Ray <marsh@...endedsubset.com> wrote:
> > But now if we successfully convince every developer on the planet to
> > stop using HTTP redirection, that doesn't change that the user doesnt
> > know how to determine if the URL is trusted or not, so we just use one
> > of dozens of other simple tricks.
> >
> > Surely the correct solution is to educate those users who are doing it
> > incorrectly.
> 
> I am in complete agreement with you.
> 
> Let's say you are a bank that has just invested in a successful
> anti-phishing user education campaign. All the users have been trained to
> look beneath the HTML in emails, not to accept invalid SSL certificates,
> and only follow "legitimate" links that look like:
> 
>       https://*.examplebank.com/
> 
> At that point an open redirect is found under your site, such that
>
https://onlinebanking.examplebank.com/confirm.aspx?customerid=1234&return=http%3a%2f%2fpwn%2ely
> drives the browser to the attacker's phishing site.
> 
> Does this represent a vulnerability?
> 
> - Marsh

So they've trained their users to parse and understand html, can decode
complex documents manually, and understand the difference between anchor
text and destination. They can decipher complex URLs using any of the
obscure syntax supported, and understand the heirarchichal nature of the
domain name system. They've also learned how to verify SSL certificates
without clicking on links (perhaps using openssl s_client?).

Bizarrely, they've also been convinced to never read the address bar (which
is really all they needed to do from the start instead of the hours of
training requiring them to reach this level).

Then yes, you have a vulnerability. However, it's in the criminally
negligent training material provided by the bank :-)

Tavis.

-- 
-------------------------------------
taviso@...xchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ